Threat Actor Profile
High APT
Description

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)

Confidence Score
90%
Known Aliases
Axiom, Group 72
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (16)
T1005 - Data from Local System
Collection
T1560 - Archive Collected Data
Collection
T1001.002 - Steganography
Command and Control
T1003 - OS Credential Dumping
Credential Access
T1078 - Valid Accounts
Defense Evasion
T1553 - Subvert Trust Controls
Defense Evasion
T1203 - Exploitation for Client Execution
Execution
T1189 - Drive-by Compromise
Initial Access
T1190 - Exploit Public-Facing Application
Initial Access
T1566 - Phishing
Initial Access
T1021.001 - Remote Desktop Protocol
Lateral Movement
T1563.002 - RDP Hijacking
Lateral Movement
T1546.008 - Accessibility Features
Privilege Escalation
T1583.002 - DNS Server
Resource Development
T1583.003 - Virtual Private Server
Resource Development
T1584.005 - Botnet
Resource Development
STIX Data
{
  "aliases": ["Axiom", "Group 72"],
  "created": "2017-05-31T21:31:45.629Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between [Axiom](https://attack.mitre.org/groups/G0001) and [Winnti Group](https://attack.mitre.org/groups/G0044) but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)",
  "external_references": [
    {
      "external_id": "G0001",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0001"
    },
    {
      "description": "(Citation: Cisco Group 72)",
      "source_name": "Group 72"
    },
    {
      "description": "(Citation: Novetta-Axiom)",
      "source_name": "Axiom"
    },
    {
      "description": "Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.",
      "source_name": "Cisco Group 72",
      "url": "http://blogs.cisco.com/security/talos/threat-spotlight-group-72"
    },
    {
      "description": "Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.",
      "source_name": "Kaspersky Winnti April 2013",
      "url": "https://securelist.com/winnti-more-than-just-a-game/37029/"
    },
    {
      "description": "Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.",
      "source_name": "Novetta Winnti April 2015",
      "url": "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"
    },
    {
      "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.",
      "source_name": "Novetta-Axiom",
      "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
    },
    {
      "description": "Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.",
      "source_name": "Kaspersky Winnti June 2015",
      "url": "https://securelist.com/games-are-over/70991/"
    }
  ],
  "id": "intrusion-set--a0cb9370-e39b-44d5-9f50-ef78e412b973",
  "modified": "2025-04-16T20:37:36.790Z",
  "name": "Axiom",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "2.0"
}